Search

Subscribe

Government Secrets and the Need for Whistle-blowers

Yesterday, we learned that the NSA received all calling records from Verizon customers for a three-month period starting in April. That's everything except the voice content: who called who, where they were, how long the call lasted -- for millions of people, both Americans and foreigners. This "metadata" allows the government to track the movements of everyone during that period, and build a detailed picture of who talks to whom. It's exactly the same data the Justice Department collected about AP journalists.

The Guardian delivered this revelation after receiving a copy of a secret memo about this -- presumably from a whistle-blower. We don't know if the other phone companies handed data to the NSA too. We don't know if this was a one-off demand or a continuously renewed demand; the order started a few days after the Boston bombers were captured by police.

We don't know a lot about how the government spies on us, but we know some things. We know the FBI has issued tens of thousands of ultra-secret NationalSecurityLetters to collect all sorts of data on people -- we believe on millions of people -- and has been abusing them to spy on cloud-computer users. We know it can collect a wide array of personal data from the Internet without a warrant. We also know that the FBI hasbeenintercepting cell-phone data, all but voice content, for the past 20 years without a warrant, and can use the microphone on some powered-off cell phones as a room bug -- presumably only with a warrant.

We know that the NSA has many domestic-surveillance and data-mining programs with codenames likeTrailblazer, Stellar Wind, andRagtime -- deliberately using different codenames for similar programs to stymie oversight and conceal what's really going on. We know that the NSA is building an enormous computerfacility in Utah to store all this data, as well as faster computer networks to process it all. We know the U.S. Cyber Command employs 4,000 people.

We know that the DHS is also collecting a massive amount of data on people, and that local police departments are running "fusion centers" to collect and analyze this data, and covering up its failures. This is all part of the militarization of the police.

Remember in 2003, when Congress defunded the decidedly creepy Total Information Awareness program? It didn't die; it just changed names and split into many smaller programs. We know that corporations are doing an enormousamount of spying on behalf of the government: all parts.

We know all of this not because the government is honest and forthcoming, but mostly through three backchannels -- inadvertent hints or outright admissions by government officials in hearings and court cases, information gleaned from government documents received under FOIA, and government whistle-blowers.

There's much more we don't know, and often what we know is obsolete. We know quite a bit about the NSA's ECHELON program from a 2000 European investigation, and about the DHS's plans for Total Information Awareness from 2002, but much less about how these programs have evolved. We can make inferences about the NSA's Utah facility based on the theoretical amount of data from various sources, the cost of computation, and the power requirements from the facility, but those are rough guesses at best. For a lot of this, we're completely in the dark.

And that's wrong.

The U.S. government is on a secrecy binge. Itoverclassifiesmoreinformationthanever. And we learn, again and again, that our government regularly classifies things not because they need to be secret, but because their release would be embarrassing.

Knowing how the government spies on us is important. Not only because so much of it is illegal -- or, to be as charitable as possible, based on novel interpretations of the law -- but because we have a right to know. Democracy requires an informed citizenry in order to function properly, and transparency and accountability are essential parts of that. That means knowing what our government is doing to us, in our name. That means knowing that the government is operating within the constraints of the law. Otherwise, we're living in a police state.

We need whistle-blowers.

Leaking information without getting caught is difficult. It's almost impossible to maintain privacy in the Internet Age. The WikiLeaks platform seems to have been secure -- Bradley Manning was caught not because of a technological flaw, but because someone he trusted betrayed him -- but the U.S. government seems to have successfully destroyed it as a platform. None of the spin-offs have risen to become viable yet. The New Yorker recently unveiled its Strongboxplatform for leaking material, which is still new but looks good. This link contains the best advice on how to leak information to the press via phone, email, or the post office. The National Whistleblowers Center has a page on national-security whistle-blowers and their rights.

Leaking information is also very dangerous. The Obama Administration has embarked on a waronwhistle-blowers, pursuing them -- both legally and through intimidation -- further than any previous administration has done. Mark Klein, Thomas Drake, and William Binney have all been persecuted for exposing technical details of our surveillance state. Bradley Manning has been treated cruelly and inhumanly -- and possibly tortured -- for his more-indiscriminate leaking of State Department secrets.

The Obama Administration's actions against the Associated Press, its persecution of Julian Assange, and its unprecedented prosecution of Manning on charges of "aiding the enemy" demonstrate how far it's willing to go to intimidate whistle-blowers -- as well as the journalists who talk to them.

But whistle-blowing is vital, even more broadly than in government spying. It's necessary for good government, and to protect us from abuse of power.

We need details on the full extent of the FBI's spying capabilities. We don't know what information it routinely collects on American citizens, what extra information it collects on those on various watch lists, and what legal justifications it invokes for its actions. We don't know its plans for future data collection. We don't know what scandals and illegal actions -- either past or present -- are currently being covered up.

We also need information about what data the NSA gathers, either domestically or internationally. We don't know how much it collects surreptitiously, and how much it relies on arrangements with various companies. We don't know how much it uses password cracking to get at encrypted data, and how much it exploits existing system vulnerabilities. We don't know whether it deliberately inserts backdoors into systems it wants to monitor, either with or without the permission of the communications-system vendors.

And we need details about the sorts of analysis the organizations perform. We don't know what they quickly cull at the point of collection, and what they store for later analysis -- and how long they store it. We don't know what sort of database profiling they do, how extensive their CCTV and surveillance-drone analysis is, how much they perform behavioral analysis, or how extensively they trace friends of people on their watch lists.

We don't know how big the U.S. surveillance apparatus is today, either in terms of money and people or in terms of how many people are monitored or how much data is collected. Modern technology makes it possible to monitor vastly more people -- yesterday's NSA revelations demonstrate that they could easily surveil everyone -- than could ever be done manually.

Whistle-blowing is the moral response to immoral activity by those in power. What's important here are government programs and methods, not data about individuals. I understand I am asking for people to engage in illegal and dangerous behavior. Do it carefully and do it safely, but -- and I am talking directly to you, person working on one of these secret and probably illegal programs -- do it.

If you see something, say something. There are many people in the U.S. that will appreciate and admire you.

For the rest of us, we can help by protesting this war on whistle-blowers. We need to force our politicians not to punish them -- to investigate the abuses and not the messengers -- and to ensure that those unjustly persecuted can obtain redress.

Our government is putting its own self-interest ahead of the interests of the country. That needs to change.

EDITED TO ADD (6/10): It's not just phone records. Anothersecretprogram, PRISM, gave the NSA access to e-mails and private messages at Google, Facebook, Yahoo!, Skype, AOL, and others. And in a separate leak, we now know about the Boundless Informant NSA data mining system.

The leaker for at least some of this is Edward Snowden. I consider him an American hero.

EFF has a great timeline of NSA spying. And this and this contain some excellent speculation about what PRISM could be.

Someone needs to write an essay parsing all of the precisely worded denials. Apple has never heard the word "PRISM," but could have known of the program under a different name. Google maintained that there is no government "back door," but left open the possibility that the data could have been just handed over. Obama said that the government isn't "listening to your telephone calls," ignoring 1) the meta-data, 2) the fact that computers could be doing all of the listening, and 3) that text-to-speech results in phone calls being read and not listened to. And so on and on and on.

I'm sure there are lots more things out there that should be read. Please include the links in comments. Not only essays I would agree with; intelligent opinions from the other sides are just as important.

Having recently finished reading your book "Liars and Outliers", I see this unilateral surveillance as a cost problem: it costs less to store everything and wait for better machine learning algorithms to find the needles, rather than hiring and training analysts to gather data in real time and discard everything else.

Of course, even hiring people for real-time blanket surveillance is wrong (not only because it was pioneered by the STASI).

Also, there's no incentive for any government to stop this behaviour, for the usual "cover your ass" security paradigms you explained several times. That's why I'm curious in exploring possible solutions: for example, moving away from US-based companies might leverage their lobbying power. And so on.

I was waiting to see your comment on all of this. Wired magazine has a good article on the NSA Utah site with some extrapolations on size.

The thing about this that scares me the most is how many people in the general population do not see anything wrong with this. The see the news and say "so what." I've talked with several people and generally get the "so what" answer or a complete lack of understanding.

I think back to your comments on the Patriot Act, you called it right. We have made a steady progression from bad to worse since then.

You can write all the essays you want. People seldom read more than a paragraph or two of anything anymore. The fact is, what you're seeing is largely media puff. McCain was interviewed and seemed dismayed "...these people voted for the Patriot Act, didn't they even read it before voting on it?" Same on this blog and others, it'll blow over in a week and the story will burn out and absolutely nothing will change.

The really sad thing here, is this is nothing new. In the 90s, there were whispers of the ECHELON system, even a "Jam ECHELON Day". The Clinton administration brought us the proposed CARNIVORE system, and Bruce already mentioned the "Total Information Awareness" program of DARPA, in George W. Bush's first term.

This has been developing for possibly 20 years or more, gaining capability and reach pretty much continuously. This is only a surprise if you weren't paying attention. . .

But is there anything that would prevent the US from spying on UK citizens and providing that information to the UK, and then have UK spy on US citizens and provide that information to the US?

The simple answer is "this is what has been happening since the end of WWII".

I've mentioned the history of this on this blog a number of times in the past along with some details of bases used and which military units were used (all of which has been up on the net for years from multiple sources including photos and memories, and in various books etc).

So briefly,

The history of it starts in WWII and the "Ultra Secret" the US had little or no knowledge of the German Enigma system (the US cryptographers were concentrating on japanese codes and ciphers). This started to hurt the US badly with German U-Boat activity close to the US East Coast. After considerable negotiation at the political (not technical) level various agrements came into place and intercepts, technology and personnel swaps started.

Towards the end of the war the British technical staff realised that they were starting to lose supremacy in the game due to lack of technical / industrial resources so they proposed what eventually became the BRUSA agrement that formed the first seed of what became the "Special Relationship".

Due to the cold war it was realised that to catch spies then it required a country to spy on it's own citizens involved in secret work of all types. However various bits of legislation prevented this.

So yes the UK spyed on US citizens and the US spyed on UK citizens. But such monitoring was a bit of a joke in that nearly all the equipment used and backend processing was carried out in the US by US personnel. The UK only provided front end "operators" who handed over the "tapes" to the NSA who processed and occasionaly returned some of the intel gained.

However BRUSA expanded with time and most WASP nations are now fully paid up members of the club (NZ being the only one to sort of leave for political reasons).

It is interesting to note that it is now not just WASP nations due to the EU first Northern Protestant European and then Catholic and Sothern European nations have joined as associate etc members. The US also has "one to one" relationships with other nations who in turn have one to one relationships with other BRUSA member nations. One such is Israel, the down side of this is "intel spirals" giving "confirmation bias" which came rather publicaly to light of the "Yellow Cake" and other WMD stories prior to the Iraq war.

It's a catch 22 for fuck-up-idness, sure they are gathering everything on everyone, but still can't make heads or tails of it. None of this information seemed to make a difference with the Boston bombers, and probably dozens of other incidents. This won't be a "pre-crime" tool, especially if it's run by the current government. They need to UFO people, the real coverup experts to run some shit. Get area 51 fuckers out of their status tubes and tell them how to overhaul it so they won't be caught.
Seriously though, there are so many ways to communicate that if you don't want to be caught you will not be. These systems are for 20/20 afterward vision, so they might help predict something in the future, or bring pressure on other targets during an investigation. This is not and will probably never be a real-time preventative program.
When there is talk of having control or oversight, that's all fine and good, but in reality the only thing an analyst has to do is click a button, and it's done. He/She can abuse their power just like anyone, it's not like you have to scan in a court order before it's physically possible for you to click that button. You're SUPPOSED to get a direct order before doing so, but common, there is nothing else stopping someone from issuing a wiretap, other than a procedure on paper. So can we get real and talk about how there is no REAL control over who does what other than the possibility of losing ones job for doing so if not authorized. It's not the Judge doing the clicking, it's some analyst in a dark NOC doing it, while RedTube plays on the other screen next to them.
+~torz~+

The rhetoric in these situations is that the whistleblower has heinously engaged in an action that will help "the enemy". These days, the enemy is terrorists.
The jingo-istic, knee-jerk reacting thugs who don't ever pause before they open their mouths will assert that whistleblowers like Mr. Snowden are, themselves, terrorists, because they have provided aid to the terrorists, as it were.
Mr. Snowden asserts that he has taken care not to leak information that would identify any individual who my be put in harm's way. Mr. Snowden is not being accused of any violent act, not to mind a violent act intended to terrorise.
Therefore, the aforementioned thugs can only be assumed to imply that objecting to what the US government does is terrorism.

(a) Isn't this how the current governments of Russia, Turkey, Syria, Zimbabwe, Egypt approach dissent too?

(b) Doesn't the loosening of the term "terrorism" run the risk of trivialising it too?

"Leaking information is also very dangerous. The Obama Administration has embarked on a war on whistle-blowers, pursuing them"
-----
Why not also talk about what happened with the IRS and selective targeting of groups exercising their 1st Amendment rights?

My first thought when hearing about PRISM and the other NSA surveillance was that by collecting so much information in such broad terms that the amount of noise in the data would make finding anything useful or actionable nearly impossible. Do we know anything about the analysis techniques that make it seem likely that suspicious activity would come out of the data without an overwhelming number of false positives?

"the NSA has not received any personally identifiable information of the callers. For that, they need a court order."

First of all, the really big news here is Snowden's personal story of how he, a nobody analyst, could without any sort of restrictions look up anyone he wants to.

And, as we see, while he did work at the CIA, where he was working as this analyst who could look up everything about anyone was at a corporation. He was paid 200,000 a year and is 29 years old.

If Snowden could do this, what could people in power do?

Onto the facts about what that metadata gives, the critical piece does not offer any. It simply says, "They would still need a court order". We have seen that these "court orders" mean that one of them can give blanket surveillance on everyone, so that is a joke. Further, these courts are completely secret, and without any manner of controls. This is like what the founders of this country opposed. A bunch of guys in government colluding together against the rights of ordinary citizens. Stamping the word "court" on there is just stamping a layer of white wash paint.

More importantly, does it take much to think about the ramifications of getting this metadata on everyone? Say you have access to this system. You want to find out who someone is, who they know, where they have been (cell tower data). That is what this metadata gives you. You can trace out everyone networks of friends, family, and colleagues.

Call records, just the number of whom you call and how long you talked tells authorities about affairs. We have seen this in many murder cases. It also basically tells the authorities about anything else. Who is important to you. Who you know, and who you know -- who they know.

@Peter: I work at a Big Data analytics company. The data discussed here isn't even that big, relatively speaking. If you imagine, say, 10 metadata points per day for 300M citizens, it's 3B rows/day, or about ~1T rows/year. Machine learning techniques are getting much, much better at filtering signal from noise at pretty large scales. Large parts of that 1T can be ignored or just learned into a model, and ML can show you how to avoid keeping it all around - or at least, not having to use all the data all the time.

One of the differences between the 90s and today is just how much processing power we have. Human events, specially transactional events like phone metadata, credit cards, etc., are actually easy to track in today's systems, and the ML techniques have gotten so advanced that, basically, humans are boring.

That's not to say that there aren't false positives. Most of these systems work by surfacing a probability-of-anomaly to a human, then a human goes and looks at it. It then becomes a business decision where you set the probability threshold. Or whatever metric you choose. Basically, the system is around to help you find the needle in a haystack, or at least a bunch of needle-like things that humans could filter well enough.

On another note, it is also of interest to power via "Green IT", to reduce emissions - to reach emissions targets (another National Security topic). So with all this wet dream of all data of everybody we probably have forgotten to focus on the real problems - the things which feed us and keep our Society together.

The people I know that are under 30 years old do not care about this. Info Sec professionals have failed to help them understand why this matters by making a real-life case without hysterics or far-fetched hypotheticals.

What happens if the NSA volunteers this information without GCHQ asking?

(i.e. We would never, never break the law in asking for information about person X. So we aren't asking for it. Our lawyers say we can't ask for it, so we aren't. Our lawyers say that we can't even say that we would be happy to see someone mysteriously volunteer this information, so we aren't saying this either.)

> The idea that in GCHQ people are sitting working
> out how to circumvent a UK law with another agency
> in another country is fanciful. It is nonsense."

There is nothing in the PPD that affords a classification, this is public policy...that is unless the President of the United States believes he or she is the executive to a democratic republic without citizens..

I have include a section of the PPD released last week and have a few markups--

Malicious Cyber Activity:

Activities, other than those authorized by or in accordance with U.S. law1, that seek to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.

Operations and related programs or activities conducted by or on behalf of the United States Government, in or through cyberspace, for the primary purpose of collecting intelligence -- including information that can be used for future operations -- from computers, information or communications systems, or networks with the intent to remain undetected. Cyber collection entails accessing a computer, information system, or network without authorization from the owner or operator of that computer, information system, or network or from a party to a communication or by exceeding authorized access. Cyber collection includes those activities essential and inherent to enabling cyber collection, such as inhibiting detection or attribution, even if they create cyber effects.

NWFOR

--------------------------------------

COMMENT: This activity, in violation of federal law, percolates from the same stench that defines it as unlawful (by way of US Public Law), an extreme exercise in hypocrisy is obvious. //COMMENT

Activity and action specified above can best be described as woefully misguided; the usurping and collection/penetration of ANY who knows what device (computers, information or communications systems, or networks with, unauthorized systems is not properly bounded. Three features either violate or persist in a manner unfamiliar to any exercise in modern law. One would have to return to the Spanish Inquisitions to replicate the authority and power granted governmental and non-governmental entities--this goes well beyond anything resembling jurist prudence:

The Compromise to host systems, in violation of the multiple public laws and the constitution, for an indeterminate period of time. This includes the so called third party doctrine (and with commercial companies become qualified protecting entities--there is no limitation.

No termination or minimization of storage or use of collected data

--------------------------------------

Defensive Cyber Effects Operations (DCEO):

Operations and related programs or activities other than network defense or cyber collection - conducted by or on behalf of the United States Government, in or through cyberspace, that are intended to enable or produce cyber effects outside United States Government networks for the purpose of defending or protecting against imminent threats or ongoing attacks or malicious cyber activity against U.S. national interests from inside or outside cyberspace.

--------------------------------------

U.S. FEDERAL AGENCIES, ACTING UNILATERALLY, CAN AFFECT DESTRUCTIVE ACTIVITY UPON FOREIGN AND DOMESTIC PARTIES (CYBER ASSETS DO NOT OPERATE OUTSIDE THE CONTEXT OF HUMAN ACTIVITY, IT IS A SHARED CONTEXT). RECOMMENDING THAT CAUSATION AND CONCRETE ATTRIBUTION MAY NOT HAPPEN IN THIS CONTEXT,

...IMAGINE...

A MALICIOUS OR OVERT ACTION TAKEN BY SOMEONE TO STAGE AN ATTACK FROM A HOSPITAL FACILITY, MAKING IT APPEAR TO BE A NETWORK OWNED BY THE PERPETRATOR. THE PERP CAJOLES THE U.S. DoD TO TAKE/MAKE A REACTIVE RESPONSE, 30 PEOPLE DIE AS THE HOSPITAL ELECTRICAL, ELECTRONIC, AND PATIENT SUPPORT SYSTEMS ATTACKED BY THE U.S.

"At first glance, the growth of the super snooper state revealed this weekend — like one of those giant, hidden funguses that spreads for miles under the forests of upper Michigan — is a striking discovery. But I maintain that there is an inverse correlation between the technical abilities of the government to harvest data and their competence to use it for anything. The salient trend in our government is to become more inept, ineffectual, impotent, and feckless, no matter how big the compost heaps of sheer information it manages to pile up.

For spying on your own citizens, the Nazis and the Soviets were way ahead of us using technology no more elegant than phone bugs and filing cabinets. Our immersive techno-narcissism vests too much awe in computer magic itself. What would hurt much more — and work much better — is if Americans become a nation of snitches."

I was hoping you would talk more about the trade offs between security and privacy. Obviously, this is what all cases like these come down to: the government is tasked with protecting the citizens from terrorist attacks, but also ensuring our privacy and civil rights.

In other contexts, you've talked a lot about how the best way to defend against terrorist attacks is through information. Obviously the scale of these domestic espionage operations, which we are just starting to get a glimpse of, is staggering and alarming, but it certainly does seem like an effective way to uncover and prevent terrorist plots before they cause harm. So where, or how, do we achieve the correct balance?

Obviously, this is a tough question, and the correct balance will likely be different to different people. Presumably, the government is not trying to harm its citizens and probably believes that programs like these do achieve the correct balance. Obviously, a very large number of us who are affected by these operations disagree.

You have a lot of knowledge and good ideas in this area, maybe you can write another essay addressing this idea of balance: how we achieve it, or at least how do we measure it.

While I agree that the secrecy of these programs is really the biggest problem, you should be careful with that line of reasoning: it's the same one that people use to challenge your civil rights and privacy. If you're not doing anything wrong, why should you use encryption? If you haven't stolen anything, why should you object to having your bag searched? If you're not a criminal, why should you care about CCTV?

First of all, Regina Ip is a law-and-order type of person, and she is rather unpopular in Hong Kong because of her hard "law and order" views. (You can read the wikipedia article on her with the very funny looking cartoon). The fact that she thinks that Snowden should leave will convince a lot of people in HK that he should likely to stay.

More quotes from the NYT article....

****While Mr. Snowden — or possibly his personal computer — might be a valuable prize for China’s intelligence agencies, experts were skeptical that China would risk harming relations with the United States by exercising its legal authority to block an extradition request from the Justice Department.

WTF????

If Snowden stays in Hong Kong, then

a) he is a gold mine of intelligence
b) it's going to make it impossible for the US to criticize China on human rights without people giggling
c) it's going to just confuse people. If you have people who want to bring down the Communist Party confused and not sure what side is "good"

**** “I don’t think he’s a big enough fish that Beijing would try to intervene to affect the decision of the Hong Kong authorities one way or the other,” said Willy Lam, a specialist in Chinese government decision-making at the Chinese University of Hong Kong.

WTF???? Anyone who is front page on the NYT is a big fish. Beijing is going to let HK local officials make the call as to what to do, but they'll be someone involved in the decision making.

The other possibility is that he just gets a job as an IT technician and applies for a standard residency visa. If he gets that visa, and he renounces his US citizenship, he then becomes a permanent resident, and at that point he becomes politically undeportable.

Twofish
--If you've never heard of Secret Power, have a read. Not very technical, but interesting. I've wondered who Hager's source is, but I haven't really dug. Basically, legal garbage loopholes; I equate it to malware writing. Plus the bases are also strategically placed for prime interception choke points; like how radio waves bounce around the world.

Law abiding governments have nothing to worry about from whistleblowers. Only war criminals, the corrupt and the dishonest should fear the activities of the media. If you have nothing to hide then you have nothing to worry about :-)

(Clive R. and Dirk Praet I'd also be interested in your opinions of my claims.)

Traceability isn't guaranteed

Plenty of people leaked without a trace over the years. The largest leak was Manning, who wasn't traced: he put too much trust in a person who was an FBI informant. Heck, he wasn't even detected far as we know! CINDER, their top insider threat detection program, is still just a research project. I'm sure they're beefing things up a bit but the current culture in intelligence is many connections and more sharing. If someone has need-to-know about something, they can blend into existing activity. It was long ago decided that trying to access control and log absolutely everything was a monumental task that resulted in nothing getting done. Still true. Works to leakers advantage.

Why he really exposed himself

The video and interviews with Snowden tell us some about his personality. He comes off as a cocky, intellectual type at times. It's no surprise that, while an insider, he ran his mouth too much about what was "wrong" with the company's actions. He said on video he even griped to his bosses. This company was paid huge sums of money to do these things by the powerful military-industrial complex... whose actions they wholy support. There's no doubt that Snowden knew this being a long-time defense guy. Was he seriously thinking his Type A personality, six-figure salary bosses were about to give NSA some kind of ultimatuum about ethical issues? Foolishness at its best.

If Snowden was wise, he would know they didn't care and that this would only red flag him as a possible risk in future counterintel analyses. Not to mention marginalize and reduce career options in his company due to his "disgruntled" behavior or attitude. He should have kept his mouth shut about what he really thought. If he asked questions, it would be rarely, it would be carefully selected coworkers, and done in a way where he came off as non-commital to any particular answer. He would publicly be a company man and good asset. If he couldn't stand it, he could quit a year or two later to move to better work... without suspicion.

How should he leak in his position?

Snowden claimed to be in a position to essentially see (without detection) much of the dirt as it passed by. He would have also seen which groups had access to what data. He could have easily narrowed his focus to something dirty (incl PRISM) tied to one group, pick files that the group as a whole received, siphoned their contents into new files on a new machine [for metadata reasons], and anonymously leaked it to several groups of reporters with experience dealing with govt insiders. Their reputation and the government's inevitable response would validate the leak.

Counterintelligence would begin trying to trace him. A decent sized group of people with access to the files would be suspects. If he had leaked things from multiple groups of access, their main hypotheses would be an insider with broad access (including Snowden). Isolating the files to one group means he's just another suspect in a group with little to no other information to go on. Everyone would have received the file, everyone's machine might have viewed it, and so on. So long as he made it a careful, one off leak, then there would be no reason for them to look into him any more than another suspect.

There's many precedents for this strategy inside and outside of government. In a nutshell, it's called blending in, not drawing attention to yourself, using legitimate [overprivileged] access to your advantage, and misdirecting opponents to focus on someone else. This scenario doesn't guarantee he wouldn't be caught: it merely swings the odds enormously in his favor. Those odds say the man's loved ones would be safe, he'd still be a trusted insider, and he'd wouldn't be burning through money in Hong Kong with an uncertain future.

Conclusion

Snowden has good intentions. I admire his courage to stand up against the corruption. The problem is that the way he did it artificially created a ton of risk for him, reduced future opportunities to do good from the inside, and will likely result in his actions being just another failed gesture in the War on the Surveillance State. A war which the State is winning.

@Twofish: I can confirm that the government has indeed done such things.

While I can't comment on the current scandal specifically, I have been involved in situations where the US Government was not allowed to do certain actions by law, but there was nothing stopping a non-government employee from doing the same things and the employer selling such data to the US Government.

(Reposted in part from another thread. I figured it's more applicable here.)

I think anyone concerned with possible abuse of the current system needs to look less at the system and more at the people running it. Have they abused their positions in a way that benefited them or their business partners at the expense of the American people? Did you say "Yes, many times over for both Bush and Obama administrations?" Then, you have your answer as to whether or not they'd do something unethical with it.

"Comprehensive communication routing information" is the wording in the FISA Court order for Verizon (and certainly all other carriers). That means cell tower information. Effectively, everyone in the US with a cell phone (everyone over age 8) has been followed for the last several years, to within a few hundred feet.

As regards the information not being 1)identified and then 2) processed to draw maps of social, professional and business networks - 1) Are we to believe that the NSA does not own a 'phone book' or that it is not fed updated subscriber data under a similar blanket FISA Court order? And 2) We should simply trust that the NSA does not apply simple algorithms collating our phone, credit card, postal mail, and internet activity to yield a map of relationships, a person's usual behavior hoping to spot anomalous actions?

Recall that it was a less than a month ago that we learned that the FBI had obtained the phone records of AP offices, reporters cell phones, and the phones of family members. They already had it (the FBI was the go-between for the NSA and the tech companies). The separate order was issued to prevent disclosure of the massive surveillance.

What Snowden knows is likely not the whole of how this data is used.
Certainly the power the information gives to the possessor is extraordinary. There is massive potential for massive abuse, court order or no.

Finally, the response released by the office of the Director of the National Intelligence reveals seemingly contradictory statements,

"The government cannot target anyone under the program unless there is an "appropriate, and documented, foreign intelligence purpose" for the acquisition. Those purposes include prevention of terrorism, hostile cyber activities or nuclear proliferation. The foreign target must be reasonably believed to be outside the United States. It cannot intentionally target any U.S. citizen or any person known to be in the U.S.

But Then ...
The dissemination of information "incidentally intercepted" about a U.S. person is prohibited unless
it is "necessary to understand foreign intelligence or assess its importance, is evidence of a crime , or indicates a threat of death or serious bodily harm." (emphasis added)

(The "evidence of a crime" is exactly what makes it a warrantless search of "papers and effects" under the 4th amendment to the constitution).

For our non-US readers, I'll reprint from the US Bill of Rights - Which were attached to the constitution before it could be adapted:

Amendment 4
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches
and seizures, shall not be violated, and no warrants shall issue, but upon probable cause, supported by oath or
affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

This is the supreme law of the land. It demands both probable cause and specificity in warrants. A judge issuing an order, congress passing a bill, or a president supporting or expanding violations of it, is not supposed to be able to change or supersede it.

I don't like the government tracking me. One of the corollaries is: I don't use EZPass (RFID toll-road payment; other names outside the NE U.S.). So about two months ago I cross the Henry Hudson Bridge at the northern tip of of Manhattan, and realize there's no toll booth---now there's a sign assuring me they'll mail me a bill. (With, I might add, no indication that this is the case before it's too late to get off.)

Now, it's been seven weeks, and nothing's shown up in the mail. Maybe they only send them out quarterly? Or the license-plate recognition was on the fritz? Or are they simply lying about it, figuring the number of us without EZPass aren't worth the trouble. None of this makes me happy; where'd I put my New York road map?

There's a slightly interesting inversion here: European security agencies have been pressuring telecom providers to retain records indefinitely so that they can be searched and requested whenever authorities decide they need to; US security agencies are (if the descriptions that have been published about what's done with the metadata) snarfing all the record in real time and then storing it themselves.

Usually it's the US where you outsource to contractors and the EU where governments do it themselves.

the best way to thwart this? To send a SLEW of false positives (red herrings) out there. A bunch of limp emails, texts and posts out there peppered with "provicative" references (Muslim, Communist, jihad, overthrow of the US Government, etc. words/phrases out there. Yeah, they have lots of computers and algorithims out there. But it costs billions to do what they do. Give them SO MANY false targets to hit at that they can't sustain the effort. We can all be fiction writers in a good cause. THE good cause. Saturate them w/ bad intell. We are the mighty. We can make them the few.

"OK, legally US spy agencies aren't legally allowed to spy on US citizens, and UK spy agencies aren't allowed to spy on UK citizens. But is there anything that would prevent the US from spying on UK citizens and providing that information to the UK, and then have UK spy on US citizens and provide that information to the US?"

We believed the NSA used this trick to get around domestic spying laws with ECHELON. Basically, they would put a UK national at the end-user terminal and he would press the buttons and pass the data to his US counterparts as "collateral intelligence." There's no reason why that practice wouldn't continue, although it seems that in a lot of cases the NSA just did away with the middleman.

"The people I know that are under 30 years old do not care about this. Info Sec professionals have failed to help them understand why this matters by making a real-life case without hysterics or far-fetched hypotheticals."

I know. This is probably our greatest challenge. Even with the older-than-30s, it's hard to have a rational discussion about security trade-offs when you're scared.

It's possible he's both. I'm impressed he did what he did, but I'm not optimistic that it will be the change catalyst he's hoping for. And we as a society are not kind to whistleblowers, even when we agree with their politics.

What's also chilling is that this comes on the heels of the IRS scandals surrounding its:

Demand of medical records on millions of California residents

Targeting of Obama's political enemies for disruption and or persecution

Those scandals, as Richard Fernandez wrote, showed how our current leaders intend to deal with their political enemies.

What's scary now is how this shows what the regime is capable of doing.

----------------------------------------

Bruce: I ask you also mention the NSA's collection of credit-card-transaction data. By being able to collate data on phone calls, locations, money transfers, and the plethora of data it receives via the internet channels ... they can piece together a comprehensive picture of EVERYTHING.

Combine this with the intention & capability for treating political enemies as one wishes, and this is just terrifying.

If this Snowden person had only described the extent of data requested and received by the NSA from private corporations, has he committed a crime?

What law has he violated if he has contradicted the statements of the intelligence agency heads and merely caught the civil servants in statements "economical with the truth" and just short of perjury?

If the authorities can't point to a technical means or individuals in danger - what is the harm to national security - since the terrorists always assume we use the same charming methods as the Saudis and the Egyptian secret police. . .

Unlike Private Manning, I haven't seen individuals or methods or private conversations of our diplomats on the disclosures (I might have missed something on Snowden's data dump)

I'm just curious on that - I don't want to grind an axe on this, but all the legal jabbering . .it would be nice to get some clarity on all of this.

Great article. The guy points out well what a lot of people are figuring out: there are no controls on these systems. Snowden's access proved that.

Senators, house members, the President all saying there are strict controls when security people know -- there is no way they can know that.

Snowden coming forward? He is a walking sign board for that very message.

However the government wants to spin it they not only performed these clearly illegal operations gaining a select few immense power of total surveillance -- but they were deeply irresponsible about it while doing so.

First of all, you either leak or you don't leak. If you leak, they *will* find you eventually. Most press leaks aren't "real leaks" but rather administration or corporate officials that are speaking off the record. In the short run, you might get away with stuff, but in the long run, they *will* catch you, and Snowden of all people should be quite aware of how much surveillance there is.

Second, what's the point? The way that the powers that be keep you in the system is that they give you a nice and comfortable job, and they may you afraid of losing it. Also the longer you stay "in the system" the more you become accustomed to it, and the longer the system starts changing you. If Snowden had stayed another decade at BHA, I'm pretty sure that he would have started to believe that what they were doing was necessary and right. If you like your high paying job in Hawaii, you start thinking up rationalizations and excuses for why what you are doing is right, and you start making compromises, and after a while you turn into someone that belongs to the system that you once opposed.

If you play by their rules, you are playing a losing game, and so you have to change the game into one in which you can win.

The one big piece of leverage he has is someone that no one has mentioned. He has a laptop, with a ton of data that the Chinese military and intelligence services would be interested in. If the HK Police take him into custody then within an hour his laptop and all his data will be in the hands of Chinese military intelligence, and I'm sure there is a ton of interesting stuff there. So if the US wants to avoid that happen, they have to keep him out of custody.

Also, why should he trust reporters? They are often in bed with government officials. I find it significant that the two papers he did leak this information to were the Washington Post and the Guardian, and he kept the New York Times out of the loop.

One reason I think it is "causing problems" is that usually when something happens the press and the media already have a pre-canned response, but in this case, the standard talking heads are all over the map with this one.

Something that people I haven't seen discussed is the obvious question of how all of this helps fight terrorism or other bad stuff. All of this surveillance started during the Cold War to fight the Russians and make the world safe for freedom and democracy. But what exactly is the *purpose* of this surveillance. It's not effective counterintelligence against China, and I thought we announced that we won the war against terrorism.

The other question that comes up is that people are reacting to this by saying that it's legal. Yes it is, but maybe the law stinks.

Something else that's interesting is the apparent need for secrecy, and it's interesting to compare it with China. China has this extensive internet monitoring system, but it does nothing to make it secret and in fact is quite transparent that all of this exists. The reason for this is that the purpose is political control, and if you know that you are going to be monitored online, then you will change your actions and use much more inefficient mechanisms of communication.

So you have to ask why it is necessary to keep the US/UK system secret? Yes if the "bad people" know about it, they will attempt to circumvent the system, but if you've thought things through, then when people try to circumvent the system, you will have met your objectives anyway.

One thing that I find curious is Stasi. There are two noticeable things about Stasi. First is how much information they collected over the most trivial things. The second was how this information turned out to be completely *useless* at keep East Germany from collapsing. What ends up happening is that you have bureaucracies that exist for collecting information for the sake of collecting information, and the fact that this information turns out to be useless and that the people collecting them are incompetent tends to be forgotten.

Regarding whether the UK could spy on US citizens and turn that data over to the US, NSA is part of DOD and must comply with DOD 5240.1-r. Chapter 3 sets limitations on the retention of data about US persons, regardless of who initially obtained the data.

The PRISM story was grossly misreported, and the hyperventilation that followed has rendered it useless for public discussion.

On the other hand, the Verizon story seems to indicate a poor balance of civil liberties to security. US legislators can fix this by revising the Patriot Act.

US citizens should write their congressfolk, being clear that their votes will favor those who help rewrite the Patriot Act, even if the result is a major increase in terrorist events in the US. Anything less than that is unlikely to persuade a legislator. They need to know they are protected if they dial back these broad accesses and if the result is then a clear increase in terrorism, with demonstrable cases that would have been prevented with broad metadata monitoring. Speculating that such an increase won't occur loses the argument in the legislator's eyes, even if you happen to think your speculation would turn out to be correct.

No matter how fervent your belief, claiming that these methods don't work is largely an argument from ignorance, where you are up against counter-arguments that you won't see and that will at least appear to the legislator to be informed.

One point, under the Immigration Ordinance, the Chief Executive of HK and detain and/or deport any person without right of adobe. The US can request extradition, but if Snowden was say, a major drug lord, he would have been arrested by now by HK Police.

About regulations. If the only thing that keeps people safe is a DOD regulation, then it's worthless. The problem with relying on a DOD regulation is that it's possible (and in fact easy) for their to be a secret regulation that overrides the public regulation, or for someone to get a official exemption from said regulation. Also, there are serious bad consequences to violating a Congressional law or a judicial ruling. The consequences for violating a regulation are often much less severe or could in fact be non-existent.

Nope nope nope. Not how it works. Individuals do not have to justify their rights to the government. It is those who would violate the rights of the individual (i.e. agents of government...as that's all government is, the legalization of things that if an individual did them, would be considered a violation of someone's rights) who have to justify their authority.

Individuals acting in their private capacity have a right to privacy. Government does not. Quite the contrary, actually. Government has no "private capacity". By it's very definition government is supposed to be "public". Things done under the auspices of "for the people" have an obligation to demonstrate sufficient need for even the slightest bit of non-transparency.

Government has no rights. And agents of the government have no more rights than anyone else. They in fact have an extra burden...and obligation to serve the rest of the public. (Hence the name "public servant.") Agents of the US government in particular swear an oath to uphold the Constitution...a document whose primary purpose is to restrain and limit what government can do.

Comparing the state to the individual, and implying that government has "rights" as people do, is just nonsense.

I dont konw about you guys but my take from all this is that individuals must revert to creating their own disinformation. When all communications are monitored collected then our only option is to recreate uncertainty by deliberate muddying of all sources of the collected information.

We all need to be simultaneously, hideous flawed individuals and saints that create equally confusing metadata stamps full of physically impossible connection information.

"It's possible he's both. I'm impressed he did what he did, but I'm not optimistic that it will be the change catalyst he's hoping for. And we as a society are not kind to whistleblowers, even when we agree with their politics."

Appreciate your clarifying it. I agree on whistleblowers. They need more protection and support b/c how else can secret groups be kept accountable.

One thing that seems to be missing from a lot of the discussions is the simple fact that NSA is part of DOD, i.e., it's part of our military.

There are unfortunately many instances around the world of militaries that attack their own citizens, e.g., Syria. A year or two ago some military units and individuals in Libya attacked their own people, while others refused or defected. The military apparatus in Myanmar and Thailand has attacked and killed scores of their own people in recent years. And there are, sadly, so many more countries and incidents.

In the case of NSA data harvesting, nobody has yet been killed. But the difference is in degree, not in kind. It's still a turning of the nation's military on its own citizenry.

This is Kent State with bits in place of bullets, on an enormously greater scale.

The Slate essay Jack posted was nice. Seems to be a good assessment of the situation: like all the Wikileaks and Lulzsec stuff, the current situation is just more evidence that the US govt can't do the job we are to trust them with. The can't keep secrets, their systems get hacked, malware hits UAV computers, they have personnel issues and so on.

There are private corporations that manage their INFOSEC affairs better than the US govt does classified and sensitive operations. Yet, US govt insists giving them tons of private knowledge and control will allow them to solve issues for US they can't solve for themselves. Sure, sure...

@ RobertT

Disinformation might help. I think the uptake of it would be too small, though. Something like Tor, Freenet or Mixmaster where it's built in is more likely to work. Plus, if disinformation became a problem, they'd probably just pass laws allowing fines or jail time for such behavior. This would limit it further.

1) Chapter 3, covers only US intelligence components
2) It allows holding of information for 90 days (which is interesting since that seems to be the length of the Verizon court orders).
3) It has a very broad exceptions provision

Nick P
--Proving disinformation has got to be one of the most heinous examples of legality gone wild and is impossible. If or when that happens the human race will experience even greater crackdowns on freedom of expression; and creativity and learning will take yet another hit. Perhaps they should enforce the law stateside b/c if that becomes law then I have evidence of such behavior; and how extremely disappointing it is.

NEWS FLASH: IF YOU USE FB or ANY OTHER SOCIAL network.. you don't have privacy. What is important is what these companies do with the information we entrust to them. Oh, but US government is different.. NOPE you voted for the reps that put Protect American and Patriot Act in place.

I agree that there needs to be transparency and accountability and its waaaay to powerful with no checks and balances that are apparent. But I think its naive to think that we should release all information on all classified data to the world.

We need a system like this to detect patterns of potential threats.

The real tragedy is that Mr. Snowden has to now run from the place he used to call home or face prison to get people to realize the extent of damage that the PATRIOT/PROTECT American Acts has done.

ps. Manning is risk the lives of many people that were still on the ground in Afghan/Iraq by releasing that stuff. Then he bragged about it. Vote of no confidence.

I'm under 30 and I certainly do care about it. The problem is that there is relatively little you can do against it.

Spy agencies simply need access to this kind of data, believe it or not, I do think certain foreign governments would love to control or subvert our society. So those agencies must be able to quickly obtain data about certain individuals (with or without court orders, as long as it's really fast). If not through one (potentially hackable) universal access system, though individual agents implanted in the relevant companies. They have been doing that for ages. If for example an European version of the CIA needs some data about an european, they send a request to the NSA. (If a justice department needs it, they file a subpoena.)
The problem I'm having is wholesale surveillance, tapping everyone and correlating it (comparable to the Machine in Person of Interest).
It certainly is some beautiful piece of technology, but it reduces our humanity and stifles progress (after all, progress is usually vs status-quo).
Please note that those companies are already correlating your data, so it isn't that far a stretch, but at least they do have your interests in mind (literally ;) ) and have some laws to follow.
With Google already building a quantum computer, it's likely NSA already has one or is very close. Giving them more tools to sift through all that data.
Please note that this is data, not true intelligence. The best way to defeat an enemy is to know him, to understand him. (Art of war, I guess)
Simply having some computer pointing you at a risk isn't intelligence. If you know your enemy you know where to look, who to spy on, which leads to follow, which people to monitor. Then you won't need wholesale surveillance.

If people knew how to act when criminals attack, all that surveillance is irrelevant. (or terrorists, lets just call them criminals for a change)

I assumed the NSA would have a system in place that allowed them to quickly tap or retrieve data about anyone from those companies. I didn't think it would simply be streamed to them, but that isn't a big stretch.
Btw. a commissioner of the European Council first said it (PRISM) was an Internal US matter. Then later admitted they were concerned about the privacy of Europeans and would investigate... as if they didn't know already ;)

Suppose China ends up "subverting" the United States. Why would this be a bad thing? Well, China is ****eevvvvvillll**** because they control access to the internet.... But if the United States really monitors internet traffic too, what really is the point of preventing this sort of "subversion"?

Living close to Mainland China is interesting because you figure out that most people in Mainland China really don't mind living in a fishbowl. I mean, the government really isn't that bad. Shut up, mind your business, and make money.

Everyone is used to it, and really life isn't that bad. But it's because everyone is used to it that's a bit troubling. I suppose the thing that bothers me a lot about China is not so much that it's a prison camp. It's not. But what bothers me is that the restrictions that do exist are just taken as normal, and it doesn't bother people. This isn't 1984, it's Brave New World.

What really bothers me is that no one has really given much in the way of a description of how this really helps "fight the bad guys." I'm not even sure who the "bad guys" are. You know this person Osama bin-Laden. Last I heard he was dead. And China? Well if the US has to copy China to fight China, then I don't really see the point.

One thing that I find funny is the reaction of most Chinese people that I've talked to about this. There is a lot of disinterest about this news. The basic attitude is "you really thought that your government wasn't spying on you??? at least ours never tried to pretend that it wasn't."

Who exactly is the enemy here? What exactly is the *purpose* of this surveillance now the the Cold War is over and bin-Laden is dead?

How Glenn Greenwald Began Communicating With NSA Whistleblower Edward Snowden

...."Snowden only wanted to communicate securely using PGP encryption, for which Greenwald didn’t have the proper software installed at the time. In an interview with The Huffington Post, Greenwald acknowledged that he's no expert in using such technology and said that Snowden even provided a step-by-step email and video to help secure their communication. At that point, however, Greenwald didn't know what his would-be source had (or didn't have) and continued to prioritize other stories instead...."

@NFN_NLN
"Law abiding citizens have nothing to worry about from transparent government."

Will this affect the "average", law abiding citizen? Generally no, except in three instances:-

Accidentally. Tuttle can be misread as Buttle, and tires misheard as aeroplane. Has happened.

Deliberate recruitment. You could be blackmailed into working for government interests, either by using real facts or with false evidence. Unlikely to be a tactic restricted to the FBI.

Collateral damage. You or the company you work for might play a role in the NSA mission to maintain an US business advantage (or advance the business interests of an influential US politician). Alan Bond and Chilean Telecommunications. Likely many other instances where inside information would be used to advance commercial interests. (cough*BAH*cough)

@Nick P
Of course he's a fool! It's a basic requirement for heroism. If he wasn't a fool he wouldn't have taken the job - or become a (pragmatic) sociopath.

Long live fools like Snowden.

Perhaps your experience in a similar position was different - mine was not. If you are willing to question the system you generally do so at a local level first, as whistleblowing doesn't come naturally to most. Having failed to get the response you seek at a local level, in that sort of job, most people moved to take the next step and leak might think they have the fibre to go into silent running mode and tough out the search for the leak but I'd guess few would be capable (the same quality the motivates someone to speak out probably means they'll fail a lie detector).

Well said, thank you for the thoughtful response. I hope everybody reads and retains your comment, because I'm sure there will be others who actually try to argue along the same lines that I mentioned (even if it is nonsense). To clarify, I didn't mean to suggest that this is a valid argument, just that the pattern is there for someone to latch onto and so anyone making that argument should be careful about this. And now by careful, I mean armed with your well stated argument.

(Sorry, I think parts of this comment may sound snarky or sarcastic, but it's not intended that way).

Over this past weekend, I had compiled many of the news stories---along with some NSA history---into an easily accessible, comprehensive summary of the matter that I hoped would be useful to readers and researchers. Even if you do not care for my summary of the matter, the article does contain 62 references, some of which you may find interesting.

"The problem I'm having is wholesale surveillance, tapping everyone and correlating it (comparable to the Machine in Person of Interest)."

They can not do this. This is a far harder problem then coming up with a perfect firewall, anti-virus, or code review system.

Or, for that matter, having robots replace security guards.

Would you want robots replacing security guards in our current state of technology?

Just imagine how many innocent people it would shoot.

Spying on all of your nation's systems is not a new idea. It has been happening since tyranny reached the modern age. Almost as soon as phone lines were put up, they were tapped. Before that, they were tapping telegraph lines.

There are many sources to study on these sorts of policing agencies. Nazi Germany had their Gestapo. The Soviet Union had the KGB. Cuba had a very strong system of watching people. The Stazi had a strong system. And so on. The US did, too. And there are countless such systems in the world today. In Saudi Arabia, they have "Morality Police".

There are common denominators to all of these systems. One is they do not and can not have controls to ensure they are misused. They never have. Another is they completely undermine the state. They always have. If you have secret surveillance powers of this scope, you can control any politician, either directly or indirectly. Our Presidents only served four years, and had to be elected. Some served multiple terms. Hoover, who was engaged in widespread, illegal wiretapping served over fifty years. No one dared fire him, because everyone (but the American people at the time) knew he wire tapped everyone in Washington.

Snowden is a walking billboard that there are no controls in place.

Obama, senators, representatives, heads of intelligence are all swearing up and down the system is perfect and has strong controls. Snowden is walking proof that is a lie.

But, **everyone** from - factory workers to lawyers - understand deep down, none of those people have the qualifications to know that the system is secure in the first place.

They might as well be swearing that Mars has human inhabitants on it.

Historically and globally, every time a system like this has been created and controlled it has been used for political control of the country. There are no exceptions to this rule.

And even in Nazi Germany they said it was to protect the country and the people.

Why stop there? Wives should have access to everyone husbands call, and
all of their facebook messages and friends, as well as all of their
internet traffic. Husbands should too. Parents should spy on their kids
and record all of their traffic.

Your boss should spy on you, and you on your boss.

Better yet... what if you could spy on everyone else, but they could
not spy on you.

Think of how you would be tempted to use that data.

Is the math head splitting here? I think not. People know truth from
lies, even if it can be hard to put it on paper. I think everyone
natively understands this is a Bad Idea and recording everything,
spying on everyone is a Bad Thing.

What next, "Oh, come on, the fruit won't kill you, you will have
knowledge and be like God"?

"The poll also suggests a partisan bent to view on this issue over time. In 2006, 75 percent of Republicans found it acceptable for the NSA to tap into phones and emails without court approval to prosecute suspected terrorists, while only 52 percent are OK with it now. Similarly, Democrats view today's NSA phone surveillance as acceptable by a margin of 64 percent to 32 percent, whereas back in 2006 Democrats found warrantless NSA snooping unacceptable by a ratio of 61 percent to 36 percent."

Depressing.

We have a nation of thinkers. Planners.

:/

Obama will always be in the White House. And, anyway, this system is easy to take down if they decide later they do not want to live in a surveillance society.

Security workers have a responsibility to issue security concerns to supervisors. Unfettered access is a security concern. I would say a big one. [I think that is an understatement.]

Money is an issue, but people do not normally assume everyone is that corrupt. In fact, a lot of security issues like that could mean blowback for the contracting firm later on.

Even if they know they are that corrupt, they may feel an obligation to do their job.

'If Snowden was wise, he would know they didn't care and that this would only red flag him as a possible risk in future counterintel analyses.'

He could of come of as he likely was: sincere and concerned. As, I think, most people in his position would be. He likely would not be treated to greater dirty secrets by speaking up. Only a true incompetent would suspect he was a spy in a future counterintelligence investigation (about what would be totally someone else).

When individuals have been wrongly targeted for severe counterintelligence investigations it rounds down to coincidences, not "he had a conscience and was upfront about his concerns", nor "he has a history of being an honest man".

Counterintelligence people are people readers and have sensitive bullshit detectors. Honest people flag do not flag them. Usually moles have social problems, even if they are also sociopathic manipulators and charmers. What they engage in is just that severely anti-social. Snowden is not a mole.

'Snowden had to go public because they would have figured him out'

Maybe. Apparently, they gave this data to a lot of people.

But, could it not be that Snowden, who really was a nobody, was deeply overpaid, had very little experience or skills.. finding himself in control of systems that delivered to him such immense power... found himself deeply under the need to do exactly what he did?

Everyone has those times when they can choose to do the heroic, or to go along to get along and be cowardly. He chose the heroic.

Whether Snowden understood this consciously or not, the fact is the greatest disclosure so far is him. His story and his own self is a walking billboard that these systems have no controls.

I rather doubt Snowden has anything of much value on his laptop, maybe just a bunch of FOUO documents, which are hardly secret. Any cleared person knows how strictly controlled access to classified systems is: no laptops, jump drives, cell phones, etc. are even allowed in the same room, so no way to get data from them to a personal laptop.

Does the NSA have the private keys of the major internet service providers?

Try this for a scenario. NSA forces major ISP's to provide some sort of security weakness in order to them to make it easier for the NSA to snoop on this. It then turns out that some other major power (say China) is able to exploit this weakness to do cyberhacking.

A lot of Chinese cyberhacking comes through through some brain dead simple security holes that I've been wondering have been left open for a long time (i.e. using http rather https for spoof attacks). Suppose Snowden has a document in which the NSA pressured an ISP not to fix a security hole so that it would be easier for the NSA to spy, and it later turned out that this left the US exposed to Chinese cyberattack.

This would explain why he ended up in HK, and why the story has come out now (i.e. all this recent talk about cyberhacking just got him fed up). It if turns out that NSA policy made US tech companies safe for Chinese cyberhacking, it could be embarrassing.

Anyway, we've been promised more stuff, and they are doing a good job of making sure that this isn't a one week thing.

"Proving disinformation has got to be one of the most heinous examples of legality gone wild and is impossible."

I'd agree. It would be scary. What I'm alluding to is something akin to how the government can use anything you put on tax returns or other documents against you if it's wrong. Another thing I was thinking about at the time was how, during Bush-Cheney admin, people whose statements were deemed "unpatriotic" or "anti-government" got on Do Not Fly lists, were harassed by govt, etc. They could set some kind of baseline standard for how people handle accuracy of their data, then cause trouble for people that cause them trouble.

"NOMEANSNO • June 11, 2013 8:58 AM
[pillow at door cracks implies Snowden didn't know spy security]
2FISH - I though people posting here would have a decent knowledge of how things are done. You clearly do not"

Guess this means you are a professional spy, so know the ins and outs of spy tradecraft. So you post about spy stuff on this forum. Because you are a professional.

Snowden was an analyst. He was not a physical security expert. He had a gig as a security guard at the NSA.

Everyone's condemnation of him confirms he is legit, as is the information he released.

A big problem exposed is that he is not very qualified for the access he had.

"Security workers have a responsibility to issue security concerns to supervisors.."

This isn't a security concern. The whole business model of Booz Allen Hamilton is helping government agencies do what they want to do. He was opposed to the whole [profitable, deemed necessary, popular and implicitly OKed by Congress] operation. In a nutshell, he was saying the defense contractor should tell the NSA to change what it was doing, refuse their contracts, or something similar. It would be company suicide for them. It wouldn't happen. Ever.

"Only a true incompetent would suspect he was a spy in a future counterintelligence investigation (about what would be totally someone else)."

A [very-near-]future investigation of a leak where he had access. Suspecting him wouldn't be incompetent: it's standard operating procedure to consider all who have access. Plus, govt (esp FBI) has identified certain behaviors that might indicate a person will cause the organization trouble. His access plus his behavior would increase the scrutiny he received.

Look at it this way, there's an unknown leaker with high access to PRISM program who had to act because "it was wrong" and there's an employee with high access to PRISM program telling his bosses/colleagues "it's wrong" and advising an end to it. Come on Jack, you wouldn't think the guy might be the leak? Those dots practically connect themselves. And in the intelligency community, such suspicions can result in action against you.

"But, could it not be that Snowden, who really was a nobody, was deeply overpaid, had very little experience or skills.. finding himself in control of systems that delivered to him such immense power... found himself deeply under the need to do exactly what he did?"

Oh yeah. There's always psychological motivators. There's no shortage of reasons people might give themselves to take action against something, for better or worse. People like to be popular, important, or see themselves as having/accomplishing purpose. So are we talking about heroism or vanity? Maybe he was a nobody wanting to feel he did something important (vanity). Maybe he had the opportunity to courageously take action to change things for the better (hero). Hard to tell the difference sometimes. Only time will tell.

"His story and his own self is a walking billboard that these systems have no controls."

That seems true. They have fewer controls than they need, I'll say. If they had none, we would have known in 2007. ;) I'd hope something good comes of it far as operational security goes. I have doubts. There is so much momentum behind how the current system works that it's hard to see one event changing its course. Which i describe in my next general post.

twofish • June 11, 2013 10:56 AM
Some more evil thoughts:
[NSA forced "an ISP" to put security bugs in their code so the government
would have a backdoor, and China found this and got in through that way.]

:-)

That, is an interesting question. :-|

The NSA does code reviews for sensitive systems, where and when they can.

In putting in a backdoor, all they would have to do is leave open vulnerabilities
they found in that code review. It would be foolish to actually tell anyone
anything.

"Unfettered access is a security concern. I would say a big one." (Jack)

I agree. Many readers might be wondering "whats going on?" It's not as nonsensical as it sounds. Access is a tricky subject. I've studied so much into government classification, security schemes, and their history I have an idea of how this can be the norm. Let me share a few pieces of it and maybe it will make sense for people. One must understand what leads to the current structure and problems before they can improve it.

The Reason for Overprivileged Access in Defense

The problem started back in the days of timesharing machines when the Orange Book was calling for MultiLevel Secure systems. The idea is people with different access requirements could all use the same system with least privilege, not leak anything to each other, and still get work done. The best systems still had covert channels that allowed leaking at a slow rate.

That approach was derailed by something called Commercial off the Shelf Technology (COTS). It's benefits included quick time to market, steady feature upgrades, low cost, large labor supply and integration with plenty of products. The Government off-the-Shelft (GOTS) and commercial high assurance products didn't even compare in features, usability, price or ease of acquisition. And a secure system product update could take several quarters. So, the govt focused more on features (incl security features) and extensions to COTS OS's/products than assurance of secure operation.

This posed a major problem. A product must be MLS mode to have mutually untrusting users and proper access control. However, without implementation assurance, any MLS features could be circumvented by malicious users or administrators. So, most MLS type systems on classified networks ran (and still do) in what's called System High mode. This means everyone on the system is cleared for the highest level of secrets that might run through it, but don't necessarily need to know all of it. (Not authorized, but cleared.) Short version: you have to trust them way more than you want to.

And that was before massive decentralization of client apps, the Internet, USB drives and all the rest. The move toward more COTS meant more subvertable software, more complexity, more integration points, and more setups that were basically System High. I mean, how do you administer a system that has all types of data running through it without potential access to that data? And at every enclave, every network, every integration point, every branch? The problem was more than they could handle using COTS. So, they just extend the System High concept for networks where they decide the functionality they need is more important than assurance of separation or security control.

(Note: There are problems associated with the classification scheme itself, competition rather than cooperation between agencies, sharing with Allies, and so on. I'm ignoring these b/c what few points I mentioned are already nearly insurmountable for an organization like DOD. The rest just... make things worse.)

That was the technical and military/govt management side. What of possible corporate issues with contractors like we see outside of defense? We see companies that want more profit cutting back on things that hinder their operations, like inconvenient security. We also see security vendors focusing more on revenue-generating products and services rather than real security. We also see mismanagement and bureacracy causing security issues in the form of risky procedures and overprivileged insiders. I *speculate* that defense contractors have these problems as well, although I know not the degree. They can independently lead to issues like Snowden's broad access and, combined with government's problems, I imagine even worse can happen.

Now for the 180: Defense can trust their insiders

It might stun regulars to see me of all people say that. My studies showed me the strongest link securing classified information are the people and procedures for handling it. And that scheme works. How can I say that? The proof is in the results. There's a huge number of people with Secret and Top Secret clearances. They have access to an ENORMOUS amount of potentially damaging information. Yet, you can count the number of serious leaks on your fingertips and I can't see much operational damage done by most of them. So, although I envision and design "better" approaches, with technical aids, their people-centric approach works the vast majority of the time. And that's all a defense organization can really hope for, isn't it?

Conclusion and my current stance on classified INFOSEC

The combination of information sharing, system/network consolidation and massive use of COTS solutions makes technical approaches to maintaining secrecy of DOD's data infeasible. Their main strategy is to use a combination of disciplined personnel and controls (procedural/technical) to identify, manage and delay the release of potentially damaging information. This strategy has worked over 99% of the time for over half a century. Any improvement or replacement of the existing system intending to accomplish more should incorporate the strategies the current system used to achieve its success.

It looks like it will be an interesting story. Sounds like he disappeared.

There are a lot of leaks these days. When this happened in the seventies, it led
to Watergate... and watergate led to the great flood. I wonder if they have really
gone back to their old ways, and maybe even worse.

If they catch him, he is trouble. If he runs and stays communicating, he is trouble.

If he went to the Chinese embassy, he is trouble.

China must be loving this story.

"His story and his own self is a walking billboard that these systems have no controls."
That seems true. They have fewer controls than they need, I'll say. If they had none, we would have known

in 2007. ;) I'd hope something good comes of it far as operational security goes. I have doubts. There is

so much momentum behind how the current system works that it's hard to see one event changing its course.

Which i describe in my next general post.

There usually are not leaks in such programs, because people are too scared to leak.

You know they are illegally operating surveillance. And you know you probably are being
watched all the time.

It takes a lot of gall to do a Falcon and the Snowman sort of thing.

Though, in that case, everyone grew lax and "the Snowman" saw it, so he knew he had
nothing to fear. They were incompetent, though scary.

It was only a matter of time.

The US was doing all of this sort of thing for decades before they lost control in
the seventies. I do not think they resisted leakers simply because the climate then
was much different.

Though that must have been a major factor. The sixties opened a climate of leaking for
conscience purpose.

-> Isn't most data which is classified really very boring and useless to the general public? So could that skew your results?

-> How can you quantify how much data which is classified that is very interesting to the public, but the public has not found out about?

-> How can you quantify data loss to foreign nations? They would find a lot very interesting which the general public would not find interesting. Beyond moles, which I would guess are relatively rare, there is going to be idle talk and secret surveillance from foreign nations on known workers.

Everyone has heard stories about how spies have frequented leisure spots near highly classified installations. Beyond that, they can simply wire those places.

-> My understanding from talking to people who have had top secret clearance is that they generally do not talk because they have to take a lie detector test every month and piss tests. There are controls on drinking, debt, and so on. And they are made to be wary that anyone could inform on them, or they could be tapped anywhere.

Right, wrong, what say you? :-)

(And if you are in REALLY hairy stuff... then take that threat a few levels higher. :-O )

After Saint Snowden's revelations the men in power will do what they always does, discredit him. This will be mostly lies, which is SOP.

The question that no one I've seen asking yet is:
"What is the real motivation for this (beyond) orwellian surveillance?"

"To hunt down terrorists" have been the official version after 9/11.
But I don't buy that this is the primary motivation.
If would be the ONLY motivation, why not get a warrant for a specific suspect?
Their defence against obtaining warrants first, is that it is "inconvinient".It is SUPPOSED to be inconvinient!
Officals point to two successful operations where terrorists have been thwarted.
What is the return on investment (of tax dollars) now?
What is the ratio of "hits" vs "misses" here?
How many innocents have been caught by this dragnet, who may never be able to hear about it or defend themselves?
When will we all (non-terrorists) be able to clear our name from these databases?
Are YOU "presumed innocent until proven guilty"? Not anymore! Have not been for a long time.

The desire to wiretap all humanity existed before 9/11, which Bruce and many commenters have expressed. The list of acronyms for all clandestine surveillance programmes is long. After PRISM is outed, it will just get another name.

Alternative motives:

1.) Economic espionage may be the biggest incentive.
The NSA has been suspected of providing an unfair advantage to private US corporations under the red herring of "national security".
The reasoning behind this rationalization is "it's more important for US corporations to increase profits than to live up to trade agreements."
George J. Tenet and James Woolsey tried, unsuccessfully, to convince everyone that "we play defence, we never play offense, and we never will play offense".

2.) Actual bona fide political espionage à la Watergate.
While this is still a very sensitive subject, some people may not be reluctant to engage in political espionage. The mindset of the Tea Party is clearly positive to political espionage. I would welcome an (informed) explanation on why Obama is worse than Bush on warrantless wiretapping.

3.) Keeping track of dissent.
Whenever a grass roots movement gains momentum and threatens Wall Street's profits, like ATTAC, some agent provocateurs show up in their midst and reduce the movements credibility. This is SOP. This will happen in groups that promote anonymity, free speech and cryptography. Protect your group by putting up a charter and oust anyone that violates it. I suggest the first point of that charter should be NON VIOLENCE.

If YOU dislike beeing spyed on and express this, then the NSA feels threatened because if YOU wote for someone who wants to stop programs like PRISM, then you are threatening their income! Purely out of self preservation they will react against you, and at the same time violate their oath to protect you and the Constitution. So, there goes the First Amendment out the window.

Have YOU admitted to a crime in a supposedly private conversation on internet or on phone? Then you may start preparing what to do if you are confronted with your own words. Previously these types of evidence was always secret, but now when everybody knows about PRISM there will be less hesitation to use it against you.

If Congress asks how NSA are screening applicants, in the sense of not letting people like Saint Snowden in, then Congress asks the wrong questions.

The real question is instead:Who does a better job at protecting the Constitution?
POTUS, NSA, Congress or the wistleblowers?

Saint Snowden has clearly acted in the best interest of the US, and the world.

"-> Isn't most data which is classified really very boring and useless to the general public? So could that skew your results?

-> How can you quantify how much data which is classified that is very interesting to the public, but the public has not found out about?

-> How can you quantify data loss to foreign nations? They would find a lot very interesting which the general public would not find interesting. Beyond moles, which I would guess are relatively rare, there is going to be idle talk and secret surveillance from foreign nations on known workers."

I said it's about keeping damaging information secret. The whole point of the classification levels is protecting information that might have a negative impact on US safety, operations, etc. It seems to do that well enough. What is "interesting" to the public varies by person, interest group, and time period. That's harder to say.

"-> My understanding from talking to people who have had top secret clearance is that they generally do not talk because they have to take a lie detector test every month and piss tests. There are controls on drinking, debt, and so on. And they are made to be wary that anyone could inform on them, or they could be tapped anywhere.

Right, wrong, what say you? :-)"

Sounds on the mark. ;) It's also consistent with my notion that the people (and discipline/motivation) are the backbone of keeping the secrets. Throw in compartmentalization, need to know, and extra measures for SAP's, then you have quite a program that's still centered on those people's reliability. Yet, it seems to work most of the time.

"And if you are in REALLY hairy stuff... "

Someone into really hairy stuff should dig hard into memoirs of covert operators and intelligence directors; declassified documents like MKULTRA and Northwoods; Congressional investigations like Iran-Contra and MLK assassination; links between politicians and elite companies/individuals who don't have people's interest at heart. Collectively, there's enough to make anyone's hair fall out.

Safe to say, most people just stay out of that world and imagine one that's quite predictable with two political parties, a legal system that mostly works, a future for college graduates, socio-economic problems that will work themselves out, and so on. It's so much more peaceful to live that way.

(Funny to think our conversation leaned toward such a tangent at the same time Bruce posts on conspiracy thinking. The coincidence is to be expected considering what's in the public consciousness and it's connection to conspiratorial thinking.)

:-) Yeah, I have to check out some more books. I have read quite a few -- zig zag, mitrokihn archives, enemies, deceiving hitler are some of my favorites. Spy Wars gets really intellectually challenging. American Spy is highly entertaining. Family of Secrets, though in a very different category, is also very entertaining.

I was meaning, though, more street talk: one of my friend's grandfather was in the mafia, and the CIA picked him up during the war. Whatever they had him doing, he was disillusioned. They were doing the same things the mafia was doing (which he just happened to be born into).

Whatever it was, it was hairy, and in his retirement he was very reticent, paranoid, disillusioned.

"(Funny to think our conversation leaned toward such a tangent at the same time Bruce posts on conspiracy thinking. The coincidence is to be expected considering what's in the public consciousness and it's connection to conspiratorial thinking.)"

Well, isn't conspiracy theories kind of a main focus of the blog? I mean, but in a respectable way.

I typically use the word "conspiracy" in a positive meaning. It can just appear threatening from far away in positive cases.

People conspire together to do good, people conspire together to do evil.

*shrug*

Theories are basic stepping stones to truth. But you have to consider all sides of an issue, and respect the difference between a "theory" and fact.

[Terrorism not a believable motive for these total information awareness systems]

'Possible motives'
'1.) Economic espionage may be the biggest incentive.'

Soft money returns via the intelligence given by the gov to cooperating corporations can be attractive.

It is true that there have been corporate-US Gov intelligence ties all along. This is well documented.

At least, it is well documented during the forties, especially.

Is the US Gov going beyond soft favors to helpful corporations? Maybe. They could be outright spying against them. Though there is no evidence of this nor history of this behavior in a Democracy that I am aware of.

State based systems are a different matter. China and the old Russia both have engaged in massive foreign economic espionage. The state owns the corporations in those systems.

Those systems also have a hard time innovating so they end up relying on theft.

'2.) Actual bona fide political espionage à la Watergate.
While this is still a very sensitive subject, some people may not be reluctant to engage in political espionage. The mindset of the Tea Party is clearly positive to political espionage. I would welcome an (informed) explanation on why Obama is worse than Bush on warrantless wiretapping. '

There are a lot of articles on this subject, of comparing "how bad" Obama's policies have been when it comes to privacy.

It is also hard to avoid the gorilla in the room -- there are many, many stories about outrageous surveillance actions "by the Obama administration".

Polls today showed Democrats were not okay with spying on citizens under Bush, and Republicans were okay with it. While Republicans are not okay with spying on citizens under Obama, and Democrats are okay with it.

I find all of that foolishness.

Hoover engaged in mass political espionage and *his* term was over five decades. He never got caught, either, not really, until the very last years of his life. He never had to suffer the shame of his actions.

Political espionage is highly likely, considering history and current abuses of these sorts of systems. But I think it is blinding to see it as "Republican" or "Democrat".

It is about the intel and law enforcement circles, not the President and Senators. They are easily manipulated with surveillance.

'3.) Keeping track of dissent.'

Probably. In the twenties to sixties they not only used these powers to keep track of dissent, but also to harass political targets. American Communists were the main target, but they also hit a very wide range of non political power people. MLK was a good example.

"Whatever it was, it was hairy, and in his retirement he was very reticent, paranoid, disillusioned."

He probably saw the reality of the situation. People are told it's right & wrong, we fight for freedom, we protect people from X, etc. Most of the time, it's just politics, money, power, and imperialism. And the methods and affiliations used to protect the status quo are anything but honest or good. A very caring person could be driven nuts if they saw things from the inside or at the dirty streets.

In the book This Machine Kills Secrets, Ellsberg tells Kissinger as he was about to be cleared into the world of Top Secret intelligence:

1. First, you will be exhilirated by the huge amount of hidden facts you have access to.

2. Next, you feel like a fool for having believed in so many lies and illusions most of your life, which you now see for what they are

3. Weeks later, you see everyone else as fools as they still work so hard toward goals based on knowledge you know isn't true.

4. Years later, you might realize the limits of the knowledge as your in a bubble of people you trust. You can't rely on all of the information from people below your level, as they're working with so many lies. So, you have few people you can share information with and learn from.

5. You also realize you have to lie to everyone below you who isn't cleared for the information to protect it.

6. Ellsberg ends with a comparison of the privilege to the potion of Circe that makes men unable to speak or find their home.

Such statements should lead outsiders to believe that night and day is like the difference between what we're being told about most things and what's actually going on. This is not comforting. Your friends' grandfather must have had a similar revelation and burden to carry. And didn't take it so well.

wasnt there a hearing before congress some time back where the nsa, et al, were being raked over the coals, albeit without much or any media coverage, when they were listened to some actress or celebrity? If I remember correctly, bruce even posted about it, espically how it wasnt picked up. It had to do with just the thing the Pres said wasnt done, ie, men without auth listening and spying on americans.

It is in essence a cat-and-mouse game. People who are well-informed, well-trained and highly disciplined can hide their traces for a long time, but - as in the case of Lulzsec's Hector Monsegur - it take's only one slip-up to give yourself away. This can be partially mitigated by running a security/privacy hardened special purpose distribution such as TAILS (that has Tor built-in), or rolling your own Debian or BSD based distro with OpenVPN based Tsukuba Gates, Tor, I2P, Freenet and other communication goodies such as Pigin with OTR and QSLite for use with mixmaster type II remailers . Running from a VM or off a flashdrive is recommended.

While such an approach may be all good and well for cypherpunks and crypto nerds, it definitely is not for people with only average skills in this area such as journalists. From what I read, Snowden had to do quite some explaining to Glenn Greenwald on how to use PGP. It's quite interesting to note in this context that he preferred PGP over the much more user-friendly S/MIME, which for me raises some fascinating questions as to why that would be.

Personally, I would have taken an entirely different approach communicating with anyone over such a highly sensitive matter, but my best guess is that Snowden assumed that they would have been traced rather rapidly, not over his own lack of skills to do it properly, but rather over that of Greenwald & co. In the light of the AP revelations, only one call from the office by Greenwald or one of the others might have given them away.

Why he really exposed himself

In absence of a copy of his HR file/psychological profile from the CIA, Booz Allen Hamilton or other previous employer, we'll have to go with what we have today. At first sight, he doesn't fit the profile of the average disgruntled employee who has been passed over for promotion or salary raise, or is frustrated over being stuck in a position he doesn't like but is being kept in by management because he happens to be very good at what he does. He looks like a clean-cut, soft-spoken intellectual who has considered in-depth his actions and the consequences thereof. He has a job in Hawaii, a nice salary and a cute girl friend, the latter being atypical for the average conspiracy-crazed IT geek.

Exposing himself to me seems like the only logical course of action he had if for whatever reason he thought it was going to be just a matter of time before the NSA or other TLA's were on to him. He had obviously learned some valuable lessons from Wikileaks: Manning had been ratted out by @6 and some of the media that originally published the leaks after a while had turned on their source(s). Rather than awaiting the inevitable to happen or - worse - getting disappeared, he chose to go public and put himself right in the middle of the debate, thus severely hampering any attempt at covert action against him while buying himself time to find a country to grant him asylum.

I am not entirely sure why he fled to Hong Kong. Perhaps he was hoping for protection from extradition under a current loophole in HK legislation, but I'm guessing he did so because he didn't need a visa to go there. Requesting a visa for certain countries without knowledge/approval of management does raise red flags in certain organisations, especially for holders of specific security clearances. Another reason might have been to stir up the debate by exposing the hypocrisy of POTUS and the USG over the China talks.

How should he leak in his position? / Conclusions

I concur 100% with your own views on the issue. There would have been other more efficient and less dangerous ways to go about it. The fact of the matter however is that acts of bravery are hardly ever the result of rational thinking but in most cases are purely emotional, not to say bordering on stupidity by putting oneself (and others) in harms way.

It takes a lot of discipline, courage, control, hard work and constant fear to take the rational approach. I think Snowden didn't believe that he would be able to pull this off and went for a one-time big bang instead, preferring his life to be forfeit rather than taking the risk of getting caught before getting anything meaningful out.

Why did Snowden have so much access? Where are the controls, you say?

The current media debate over Snowden's security clearance is absolutely ridiculous. It's not some sort of magic wand that suddenly gives you miraculous access to all kinds of systems. In most cases, it just means that you've gone through a lengthy and in-depth background check.

The problem is not with the authorities giving out clearances, but with proper implementation, logging and auditing of system/network/application access controls. We all know about MLS, PoLP, RBAC, segregation of duties and the like, but it's a damn hard thing to do and maintain. I've seen some decent ones on missions at certain military customers and at one nuclear facility, but most of the time, well ....

The ubiquity of CoTS's is not the only problem in this regard. Maintaining policies and procedures, tight access control and opsec needs to be managed and controlled from within the organisation, not left to contractors interested in selling more product and services only. Judging from the Snowden leak, the NSA is obviously having a serious problem with that. Not that it comes as a surprise: the NSA being overrun by contractors only in it for the money under director Hayden was exactly what had been previously pointed out by former whistleblowers like Thomas Drake and Bill Binney in the wake of the internal ThinThread/Trailblazer war.

With regard to age, I'm 26 years old, and I do care about privacy. I'm certainly angry about the government spying, none of my facebook accounts use my real name, nor do my Google accounts. I expect everything I do online to be public and treat all such communications accordingly. I use NoScript, RequestPolicy, Self-Destructing Cookies, and other privacy tools.
Most of my friends don't care. Some may say they care, but few take the effort to keep private and public lives separate. It's a LOT of effort! It's just "oh, that's terrible, the government/google/facebook/etc shouldn't do that." and then back to business as usual.

You'd have to be more specific. And I doubt you could understand my history, state of mind, or full beliefs from what few statements I make on this blog in recent times. Feel free to try, of course.
nick Pee
--Nah, I'll be vague as I please; perhaps you've experienced what I have and understand my lack of clarity. Think again, b/c your comments aren't my only sources; much as you think so. This is my coming out party, and I'm not gay. But I want to make physical contact (my specialty) b/c you've been quite the digital bully and a special brand of psychopath.

Not that it matters much (because it seems to be merely a auto-sign formality) but who are the judges that permit these taps/data-mining/snooping/what-have-you and who appoints them? Is there a government entity that chooses judges they know will approve most requests?

Maybe. Apart from transpositional errors, falling asleep at the keyboard, using some else's login, cat input, flawed ISP data, and deliberate data contamination (yes I really am a 17year old girl born in 1958 earning $75pa) I'd expect analyst error and dodgy algorithms to generate a lot of that.
But at least no one is insane enough to believe flawed data can be used accurately predict future events.... oh wait.

Speaking as someone with a good neuroscience education, a whistleblower's the equivalent of the pain nerve in the body. People with inoperative pain nerves, we call them "Sufferers from Hansen's Disease" or in older parlance, "lepers".

Losing the feedback from the nervous system's not pretty. I heard when I was only about six or seven, about a little girl who suffered from Hansen's Disease, who rolled into the fire while asleep one night. Oliver Sacks has some interesting stories in his series of books on neurological conditions. And - much to my surprise - I found that Steven R Donaldson's Thomas Covenant to be medically precise.

That's the sort of analogy that happens to fit precisely what this world-wide set of over-classified Security States is aimed for, although they would deny most strenuously that producing a political equivalent to the medical condition of Hansen's Disease is their intention. It just happens to be the end condition of their current purposes, as much as if it had been their intention all along.

"We don't know how much it uses password cracking to get at encrypted data, and how much it exploits existing system vulnerabilities."

One other big unknown: we need to know what their cryptanalytic capabilities are really like, whether they have any very important attacks unknown to the public. What was the 'enormous breakthrough' Bamford claims they made several years ago? [1]

Just came in to say hi and thanks from Sweden. My company and now many other here, from what I jus heard, will soon be abandoning Google+ and other services provided from United Stasi Of America. Thank God.

If I commissioned a poll asking this question:"Would you allow the government to put a GPS tracking chip in your brain and transmit all your thoughts to the NSA - if it prevented a rabid laplander from biting your nuts off?"
this proposal would surely get more than 53 percent approval...

What was the 'enormous breakthrough' Bamford unknown to the public. What was the 'enormous breakthrough' Bamford claims they made several years ago?

If I remember it correctly it was that the NSA had cracked RSA and it was discussed on this blog some time ago.

However the chances are it was a misunderstanding of the route from A to B when all you have is the idea of B not the reality.

Let me put it this way if you regularly or even occasionaly see documents that cross your desk that shows that a message protected by symetric encryption where the encryption key has been passed by the use of RSA then you might conclude that the NSA had broken either the symetric encryption or RSA algorithms.

In fact neither need be true, and in practice it is more likely to be due to implementation issues.

We know that AES and RSA implementations have had considerable problems due to key leakage due to time based side channels (it's why I keep telling people not to use encryption on "Online PCs" but to encrypt on an "Offline PC" and take the ciphertext file to the Online PC via "sneaker net").

However there is another less talked about issue which is the quality of random number generators. Most are actually not that good for a whole host of reasons, but they nearly all suffer from one significant failing, which is "initial startup entropy".

That is the first time you start up a random number generator it has no entropy of any type, and it needs time to obtain it. The question thus becomes,

How long do you have to wait to get Crypto Security levels of entropy before you use the generator?

The answer is simple to say "It depends on the entropy source" but extreamly difficult to quantify.

If you consider Embedded Systems or Software Packages which have their own random number generators it is easy to see that there may be very little or no real entropy in the initial setup when master keys are generated...

Thus master keys may be quite predictable to within a few bits. Such information is likely to be very valuable to the likes of the NSA.

Now there is an issue with the RSA secret and public keys, whilst it can take a very very long time to factor them using even the best of publicaly known methods, it takes virtually no time at all to determin if two or more public keys share a common prime.

In fact researchers have harvested many public keys off of the internet and shown that there are very many that do indeed share a common key.

And these common prime keys can all be very quickly broken once you have factored just one public key.

Now as noted factoring can take a very very long time, unless that is you have a short cut...

With a little thought you will realise that a weak random number generator in a product provides just such a short cut. Which I'm sure the likes of the NSA, GCHQ or other tier one government security agencies would have been busy exploiting.

So whilst it is unlikely the NSA has broken RSA the end result of a short cut due to lack of entropy in the selection of the primes due to poor random number generator design/usage would make it appear as though they have...

So as I frequently say about forensics "Whilst you can reason logicaly from known cause to probable effect, you can't usefully or reliably reason from known effect to probable cause.

Thus I could be wrong, and the NSA might have broken RSA, we certainly know from (suspected) US government malware used as a "cyber-weapon" that the malware developers (appear to) know of another way to find collisions in hashes used as part of the code signing process...

All that said as Bruce has pointed out on numerous occations,

1, Attacks only improve with time.
2, A system is only as strong as it's weakest link.

Figureitout, I don't know what's going on with you these last few days, but your comments have become incredibly belligerent. If you had less history here I'd ban you right now, but you've been around a while, and this is unlike you. So I'll give you one chance to get hold of yourself. Take a break if you need it, start ignoring Nick P and Wael if you need to, do whatever you need to do to calm down before you comment again. If you can't, I will ban you without further warning.

@Nick P - I don't want to give the content-free fraudulent nonsense of psychology any more credit than it deserves (it has the same statistical basis as Scientology or homeopathy), but there is no evidence whatsoever that Snowden is a 'Type A' personality.

He made clear that his high school results were poor (he didn't finish - he got a GED later), and joining the Reserve military as an OR is hardly evidence of a guy who thinks he's eating the breakfast of champions.

However this is where it gets interesting: how does a guy with his 'sheet' get a gig at the CIA and then the NSA? And from there, a clearance to even get to VIEW documents of the type he has leaked?

For comparison: my sister (a former Senior Advisor to the Australian Prime Minister) was told she was unlikely to be cleared to the level required to get a very-senior post at the DSD (Defence Signals Directorate - Australia's NSA) despite having been military her whole life (first as a soldier, then as a very senior defence bureaucrat), having a first-class set of academic achievements, a stable home life, a flawless criminal and financial record and no skeletons that would enable her to be suborned (and ditto all that for her husband, her parents and so forth).

(To be frank, her problem might have been that she is related to me - I'm a known anarchist ratbag of the first water, a fervent supporter of all attempts to undermine the megalomaniacal parasitic sociopaths of .gov, and a despiser of all 'high end' NTRs ['net tax recipients'] - the REAL 'welfare queens' of society).

In a way it was good for Sis because she got recruited to an international consultancy and quadrupled her salary anyhow - which is about the same as happened to Snowden (GS-5/GS-6 goes for $45-$50k a year; BAH was paying him $122k plus-package. Sis was - roughly - equivalent to SES-II in the US system, i.e., GS-15step1 plus 35%).

She's still part of a clique that shoves its blood funnel into any pot of tax money they can find and sucks it dry, but now ostensibly in the private sector.

Funny. True in many cases. I might have to think on that a bit in the future.

"Having failed to get the response you seek at a local level, in that sort of job, most people moved to take the next step and leak might think they have the fibre to go into silent running mode and tough out the search for the leak but I'd guess few would be capable (the same quality the motivates someone to speak out probably means they'll fail a lie detector)"

One or more other commenters mentioned the lie detector test. That combined with him thinking he doesn't have what it takes to stealth it out might justify him going for a big spash. I'll take that as successful refutation of my criticism that he play it stealthy and long-term. It might have been impossible for him personally. My other claims are still open.

@ Dirk Praet

Thanks for the review. I originally avoided replying to it b/c I wanted to let it stand on it's own, letting others read our stuff & form their own opinion. I just knew you'd have something insightful and experienced to add. ;)

Good points on the tech and collaborators carelessness. A terrible assumption of the old days is that you have to trust your partners to be as good at COMSEC and OPSEC as you are. This often doesn't pan out. You're probably right that it was high risk in his case.

" We all know about MLS, PoLP, RBAC, segregation of duties and the like, but it's a damn hard thing to do and maintain. I've seen some decent ones on missions at certain military customers and at one nuclear facility, but most of the time, well .... "

It's tough to do and I find it tough to explain the right way to do it sometimes. Especially on setting it up in a way that maximizes what security the organization can get without stopping work from getting done or accidentally encouraging users do end runs around it. It's one of the few things I don't have many good books or references on. So far, I give people some academic descriptions, some critiques showing problems in commercial space, and some tips on avoiding problems. You know of any resources that bridge theory and practical examples for people new to it? Any on practical use of MAC in commercial sector might be interesting too.

@ Dirk and Kratoklastes re his personality/psychology

I figure with two responses about this I should clarify. My original post described his bosses as Type A personalities. It was speculation based on what kinds of people often run defense type organizations. I'm not saying they are for sure, but I bet they share a disdain for whiney subordinates griping about their lucrative job.

As for Snowden, I wasn't saying he had a bad history or anything. He comes off as OK as Dirk noted. I'm alluding the fact that he was complaining to people about the nature of their work. He talked like he tried plenty. So, we have a guy with a high clearance doing administration work on a mission critical, secret program that's telling quite a few people it's wrong, it should end, there should be more controls, etc. In many large, rigid organizations this gets labelled disillusioned, disgruntled or rattling the cage. It doesn't score well with HR and if a leak is suspected it might increase his risk of detection. So, I was opposed to that because... what did he think was going to happen?

Of course, as a few of you noted he was feeling more than thinking so it was probably almost a compulsion for him. It would be too late to take back by the time he came to his senses and considered caution, if he did so. He made it all irrelevant, though, by dropping the big leak and IDing himself.

Firstly another thought for you on things that might have caused him to come out.

When managments have Witch Hunts a lot of innocent people get burned one way or another. The more control freakish and inadiquate the senior managment are the worse it gets (and lets face it the current POTUS can easily be desicribed that way).

You only have to look at history to see this the worst offenders of the 20th centuray that were well documented were Stalin and Hitler, but you can be absolutely sure their predicessors were almost as bad, and many others such as Pohl Pot etc did the same, as do nearly all tyrants and dictators.

In the 21st Century you only have to look at how Tony Blair (UK PM) behaved when a supposadly impartial civil servent told a journalist --quite accuratly as we now know-- that the supposed Iraq WMD of Sadam Hussain was at best a myth (which also Hans Blix had repetedly said). The guy ended up dead in vary suspicious circumstances which looked like an attempt to "suicide" him (experianced medical staff have pointed out significant issues against it being actual suicide). Not only was the journalist hounded out of his job, but Tony Blair decided to "score settle" against the BBC in various ways that are still having significant disruptive effects.

Anyone who has been close to a Witch Hunt knows it's both a time of fear and oportunity where petty scores can be settled with just a few words and where even the most innocent of statment is used to divine an ill intent that is not nor ever was there (see Cardianl Richelue's "give me six lines..." statment). A study of Senetory McArthy's well documented little anti-American activities enquiry will give ampple examples.

By putting up his hand he now acts as a lightening rod for much of the official ire and most of his former colleagues are spared a witch hunt.

I'm not making him out to be a Hero or of making self sacrifice, just part of his sofar demonstrated intent to do minimal harm.

Secondly I've met a few people who have been declaired heros by others, I've never found them to be stupid almost always their reasoning was doing what they saw as a duty of care to those around them. Most don't even consider themselves to be brave just doing what they think others in the same position as themselves would do.

Thirdly with regards problems with security mechanisms involving humans. Whilst we security "nerds" know security rights should be the minimum required for a specific role/function we tend in our geeky way to forget there are significant human issues involved. Primarily the one where people do strange things like prefere flash job tittles to pay increasess, it's often called "status". Well sadly many people regard their security rights as being akin to their job title as a "badge of honour" it also confers on them both perceived and actuall advantage. Revoking rights is thus a very touchy subject and managment know that it can be a strong demotivator and thus tend to recomend not doing it for all sorts of spurious reasons.

You asked for other published opinions around the PRISM issue. The Wed 12 June 2013 edition of the "Wall Street Journal" has an opinion piece by Holman W Jenkins Jr., "Let's Rescue Metadata from the Spy Agencies". (Page A15).

(Don't have a URL)

He makes the economic point about the amount government spends to save a single life (US FDS $7.9M, US EPS $9.1M). He asks how anti-terrorist programs since 9/11 compare to this?

He then goes onto to ask how much would "PRISM" be worth in reducing day-to-day crime, eg the Aurora, CO shootings. Prior metadata analysis of the internet activity of the alleged shooter would show exam failure, withdrawing from grad school, counselling, buying multiple weapons, buying clips and applying to join a gun club.

He mentions the false positive issue, but doesn't really address it.

As Bruce requested, whatever you think of Jenkins' arguments, it is another contribution to the debate.

Classified: Secrecy and the State in Modern Britain, Christopher Moran, University of Warwick. Cambridge University Press, January 2013

ISBN:9781107000995

This is a professional historian looking at the issues around classification in the British Government. Good general background, but some specific contributions too:

1. the way in which the 1911 Official Secrets Act was engineered by Whitehall (ie the UK senior civil service) responding to the wave of

2. The way in which different standards were applied to senior politicians writing their memoirs compared to civil servants and military officials. By British political convention, a Cabinet member (a senior Government minister) has access to the papers of the Cabinet in which they served for life. Lloyd-George and Churchill both used this, but Churchill's cabinet secretary was never allowed to publish memoirs. Some of this was to avoid political embarrassment.

3. There was a major campaign against Chapman Pincher, claiming he published secrets to the enemy (recognise the argument?). Pincher himself, interviewed for the book, points out that he did know a lot of real secrets, but that he was very careful to keep them. He thinks that saving politicians blushes was more important.

One of Moran's point is that official secrecy was often used to suppress things the government of the day did not like, not that were damaging to the state during the Cold War.

You know of any resources that bridge theory and practical examples for people new to it? Any on practical use of MAC in commercial sector might be interesting too.

The short answer to that would be no. I know you don't care too much for Trusted Solaris (Extensions), but back in the day when it started to gain traction with the usual suspects, whe had a really good team that was well-versed both in the technical and the functional aspects of setting up MAC in MLS-environments. I was fortunate enough to be able to work with one of only a handful of people officially licensed to teach the courses and who pretty much wrote the book on it. FS was the typical oddball, scatter-brain genius who could solve the most impossible of problems in the blink of an eye as long as he found them interesting, and in that capacity was a welcome and highly respected guest at quite a handfull of US/UK TLA's and military organisations trying to get their MAC/MLS right.

He and his padawan BB at some point fell out of love with Sun as the organisation started to crumble and treating the technical staff as lower lifeforms. I believe to date he's making a mint writing (undoubtedly very special) code for a financial institution.

I'm not sure either of them could help out today, but there is at least one other person making the odd comment on this blog from time to time whom I know probably could. I'll give him a ping about it.

"The short answer to that would be no. I know you don't care too much for Trusted Solaris (Extensions),"

I didn't when I was entirely focused on high assurance. Most B2-A1 type products are dead now. OpenVMS was just EOLed too. (R.I.P.) There's less and less available for high security or reliability. Argus Technologies was the last set of MAC/CMW type products I looked at. They mainly use Trusted Solaris. Without higher assurance options, I'm much more open these days to products based on TSolaris or SELinux. Low to med assurance mandatory controls are better than no mandatory controls.

"FS was the typical oddball, scatter-brain genius who could solve the most impossible of problems in the blink of an eye as long as he found them interesting, and in that capacity was a welcome and highly respected guest at quite a handfull of US/UK TLA's and military organisations trying to get their MAC/MLS right."

I love those kinda people. One got me started in INFOSEC.

"He and his padawan BB at some point fell out of love with Sun as the organisation started to crumble and treating the technical staff as lower lifeforms. I believe to date he's making a mint writing (undoubtedly very special) code for a financial institution. "

And that usually happens to them. My friend had a similar fate.

"I'm not sure either of them could help out today, but there is at least one other person making the odd comment on this blog from time to time whom I know probably could. I'll give him a ping about it. "

Might be interested in that. To be extra clear, though, I'm not talking about applying MAC and MLS technology in military environments. My long time mission was increasing assurance in commercial sector. I'm mainly looking into principles, tricks and case studies of MAC or MLS application that might benefit businesses of different sizes protecting confidentiality and integrity of data. There's products available, but how to use them without putting the organization in a straight jacket, you know?

Military and commercial often have to deal with similar problems. So, I'm sure there's people working defense who might have good ideas to contribute. The results must work in commercial sector, though. My hope is to glean enough useful guidelines and information to write-up something future businesses can use.

"The short answer to that would be no. I know you don't care too much for Trusted Solaris (Extensions),"

I didn't when I was entirely focused on high assurance. Most B2-A1 type products are dead now. OpenVMS was just EOLed too. (R.I.P.) There's less and less available for high security or reliability. Argus Technologies was the last set of MAC/CMW type products I looked at. They mainly use Trusted Solaris. Without higher assurance options, I'm much more open these days to products based on TSolaris or SELinux. Low to med assurance mandatory controls are better than no mandatory controls.

"FS was the typical oddball, scatter-brain genius who could solve the most impossible of problems in the blink of an eye as long as he found them interesting, and in that capacity was a welcome and highly respected guest at quite a handfull of US/UK TLA's and military organisations trying to get their MAC/MLS right."

I love those kinda people. One got me started in INFOSEC.

"He and his padawan BB at some point fell out of love with Sun as the organisation started to crumble and treating the technical staff as lower lifeforms. I believe to date he's making a mint writing (undoubtedly very special) code for a financial institution. "

And that usually happens to them. My friend had a similar fate.

"I'm not sure either of them could help out today, but there is at least one other person making the odd comment on this blog from time to time whom I know probably could. I'll give him a ping about it. "

Might be interested in that. To be extra clear, though, I'm not talking about applying MAC and MLS technology in military environments. My long time mission was increasing assurance in commercial sector. I'm mainly looking into principles, tricks and case studies of MAC or MLS application that might benefit businesses of different sizes protecting confidentiality and integrity of data. There's products available, but how to use them without putting the organization in a straight jacket, you know?

Military and commercial often have to deal with similar problems. So, I'm sure there's people working defense who might have good ideas to contribute. The results must work in commercial sector, though. My hope is to glean enough useful guidelines and information to write-up something future businesses can use.

With the advent of big data and deep mining tools, those who have access to this information and are able to correlate it all in quick time, can actually make big gains. Eg: There is nothing to stop a corrupt government employees or politicians from monitoring stock brokerages for tips ahead of the time to place their trades on the stock market. The possibilities are frightening and very imaginative. And obviously, it is the government who can afford to create this kind of surveillance infrastructure. The future is bleak indeed.

@ Nick P
You are interested in fine-grained MAC?
Read this carefully, several
times. (I still do, and find something new each time.)
Maybe you will find some principles in this paper that applies to your problem domain.
As always, Schneier's law applies and comments are welcome.

Americans are so damn worried about their privacy that they make me sick. Bitching for the sake of bitching. If the NSA keeps you alive why would you worry about the recipe you sent your daughter or the invite to play golf with your son falling into the NSA's hands. Who gives a rat's ass. Get a life.

J.F. Mitchell, apparently you are British and content with slavery and being spied upon at all hours of the day and night by your government (if you are not British your country is obviously under British rule; If you are are of American origin and espousing such hatred for your heritage get a passport and leave this Country). The British system of government is the reason my English ancestors (who were persecuted Quakers) fled the Monarchy in the 1750's and became instrumentally recorded with the battle of Lexington/Concord on April 19, 1775, when my freedom loving brethren beat down the Monarchies slaves to end the war of all wars for freedom. I've dealt with your ilk on American gun rights in the past, and is it no suprise that I can honestly say you are a "No-Nothing". This country has become a cesspool of the Monarchy you love and adore, totalitarianism and Socialism. In fact, the NSA is has now become the KGB of the 21'st Century. Get a life, J.F. Mitchell, really...you should get a life and escape the uneducated servitude that has been instilled upon you since birth. Freedom is bliss, not ignorance. Peace.

Observe that the metadata can instantly make you a target. Surf to the whistleblower advice and protection sites. All of your other contacts become relevant: have you talked to any reporters? A circumstantial case can be made against you without ever reading the content. At least a strong enough case to justify a drone strike.

What right does an individual narcissist have to decide on his own what should be made secret or shared with the enemies of our country? The ones who have come to light lately are too young or too uneducated to know history. Most have never done a single thing for our country of any value to themselves or to the rest of us.

Do I want a 29 year old dropout with a GED deciding whether or not I will be subject to attacks by the Russians or the Chinese, or the Taliban? No, I don't think so.

Why did the latest ratout flee to Hong Kong if what he wanted was to save the world by publishing the methods of our intelligence services?

Is there anyone so naive as to not know what was going on and has been going on for decades.

This kind of infantile activity reminds me of the statement of the Secretary of State just prior to WWII: "Gentilemen do not read each other's mail." Well, we have been reading each other's mail for eons, and anyone who doesn't know that is an idiot — and anyone who substitutes his or her judgement for activity authorized by the congress and the presidident and supvervised by the court has broken the laws our country and perhaps committed treason.

Google has more information of a personal nature on all of us than does the U.S. government.

Not in the same universe in regards to IT capabilities as my fellow contributors however I am amazed that no revelations of white collar crime have been stumbled upon with all of this captured data. I must get out of retirement.